Privilege Actions¶

On this page

Query and Write Actions
Database Management Actions
Deployment Management Actions
Change Stream Actions
Replication Actions
Sharding Actions
Server Administration Actions
Session Actions
Free Monitoring Actions
Diagnostic Actions
Internal Actions

Privilege actions define the operations a user can perform on a resource. A MongoDB privilege comprises a resource and the permitted actions. This page lists available actions grouped by common purpose.

MongoDB provides built-in roles with pre-defined pairings of resources and permitted actions. For lists of the actions granted, see Built-In Roles. To define custom roles, see Create a User-Defined Role.

Query and Write Actions¶

find¶

User can perform the following commands, and their equivalent helper methods:

aggregate for all pipeline operations except $collStats, $out, and $indexStats.
checkShardingIndex
count
dataSize
distinct
filemd5
find
geoSearch
getLastError
getMore
killCursors, provided that the cursor is associated with a currently authenticated user.
listCollections
listIndexes
mapReduce with the {out: inline} option.
resetError (Deprecated)

Required for the query portion of the mapReduce command and db.collection.mapReduce helper method when outputting to a collection.

Required for the query portion of the findAndModify command and db.collection.findAndModify helper method.

Required on the source collection for the cloneCollectionAsCapped and renameCollection commands and the db.collection.renameCollection() helper method.

For MongoDB 4.0.6+:: If the user does not have the listDatabases privilege action, users can run the listDatabases command to return a list of databases for which the user has privileges (including databases for which the user has privileges on specific collections) if the command is run with authorizedDatabases option unspecified or set to true.

For MongoDB 4.0.5:: If the user does not have the listDatabases privilege action, users can run the listDatabases command to return a list of databases for which the user has the find action privilege if the command is run with authorizedDatabases option unspecified or set to true.

For MongoDB 4.0.0-4.0.4:: If the user does not have the listDatabases privilege action, users can run the listDatabases command to return a list of databases for which the user has the find action privilege.

Apply this action to database or collection resources.

insert¶

User can perform the following commands and their equivalent methods:

Required for the output portion of the mapReduce command and db.collection.mapReduce() helper method when outputting to a collection.

Required for the aggregate command and db.collection.aggregate() helper method when using the $out or $merge pipeline operator.

Required for the update and findAndModify commands and equivalent helper methods when used with the upsert option.

Required on the destination collection for the following commands and their helper methods:

Apply this action to database or collection resources.

remove¶

User can perform the delete command and equivalent helper method.

Required for the write portion of the findAndModify command and db.collection.findAndModify() method.

Required for the mapReduce command and db.collection.mapReduce() helper method when you specify the replace action when outputting to a collection.

Required for the aggregate command and db.collection.aggregate() helper method when using the $out pipeline operator.

Apply this action to database or collection resources.

update¶

User can perform the update command and equivalent helper methods.

Required for the mapReduce command and db.collection.mapReduce() helper method when outputting to a collection without specifying the replace action.

Required for the findAndModify command and db.collection.findAndModify() helper method.

Apply this action to database or collection resources.

bypassDocumentValidation¶

New in version 3.2.

Users can bypass document validation on commands and methods that support the bypassDocumentValidation option. The following commands and their equivalent methods support bypassing document validation:

Apply this action to database or collection resources.

useUUID¶

New in version 3.6.

User can execute the following commands using a UUID as if it were a namespace:

For example, this privilege authorizes a user to run the following command which executes a find command on a collection with the given UUID. In order to be successful, this operation also requires that the user is authorized to execute the find command on the collection namespace corresponding to the given UUID.

copy

db.runCommand({find: UUID("123e4567-e89b-12d3-a456-426655440000")})

For more information on collection UUIDs, see Collections.

Apply this action to the cluster resource.

Database Management Actions¶

changeCustomData¶: User can change the custom information of any user in the given database. Apply this action to database resources.

changeOwnCustomData¶: Users can change their own custom information. Apply this action to database resources. See also Change Your Password and Custom Data.

changeOwnPassword¶: Users can change their own passwords. Apply this action to database resources. See also Change Your Password and Custom Data.

changePassword¶: User can change the password of any user in the given database. Apply this action to database resources.

createCollection¶: User can perform the db.createCollection() method. Apply this action to database or collection resources.

createIndex¶: Provides access to the db.collection.createIndex() method and the createIndexes command. Apply this action to database or collection resources.

createRole¶: User can create new roles in the given database. Apply this action to database resources.

createUser¶: User can create new users in the given database. Apply this action to database resources.

dropCollection¶: User can perform the db.collection.drop() method. Apply this action to database or collection resources.

dropRole¶: User can delete any role from the given database. Apply this action to database resources.

dropUser¶: User can remove any user from the given database. Apply this action to database resources.

enableProfiler¶: User can perform the db.setProfilingLevel() method. Apply this action to database resources.

grantRole¶: User can grant any role in the database to any user from any database in the system. Apply this action to database resources.

killCursors¶

Starting in MongoDB 4.2, users can always kill their own cursors, regardless of whether the users have the privilege to killCursors. As such, the killCursors privilege has no effect in MongoDB 4.2+.

In MongoDB 3.6.3 through MongoDB 4.0.x, users require killCursors privilege to kill their own curors when access control is enabled. Cursors are associated with the users at the time of cursor creation. Apply this action to collection resources.

killAnyCursor¶: New in version 3.6.3.

User can kill any cursor, even cursors created by other users. Apply this action to collection resources.

revokeRole¶: User can remove any role from any user from any database in the system. Apply this action to database resources.

setAuthenticationRestriction¶

New in version 3.6.

User can specify the authenticationRestrictions field in the user document when running the following commands:

User can specify the authenticationRestrictions field in the role document when running the following commands:

Note

The following built-in roles grant this privilege:

The userAdmin role provides this privilege on the database that the role is assigned.
The userAdminAnyDatabase role provides this privilege on all databases.

Transitively, the restore and root roles also provide this privilege.

Apply this action to database resources.

unlock¶: User can perform the db.fsyncUnlock() method. Apply this action to the cluster resource.

viewRole¶: User can view information about any role in the given database. Apply this action to database resources.

viewUser¶: User can view the information of any user in the given database. Apply this action to database resources.

Deployment Management Actions¶

authSchemaUpgrade¶: User can perform the authSchemaUpgrade command. Apply this action to the cluster resource.

cleanupOrphaned¶: User can perform the cleanupOrphaned command. Apply this action to the cluster resource.

cpuProfiler¶: User can enable and use the CPU profiler. Apply this action to the cluster resource.

inprog¶: User can use the db.currentOp() method to return information on pending and active operations. Apply this action to the cluster resource.

Changed in version 3.2.9: Even without the inprog privilege, on mongod instances, users can view their own operations by running db.currentOp( { "$ownOps": true } ).

invalidateUserCache¶: Provides access to the invalidateUserCache command. Apply this action to the cluster resource.

killop¶: User can perform the db.killOp() method. Apply this action to the cluster resource.

Changed in version 3.2.9: Even without the killop privilege, on mongod instances, users can kill their own operations.

planCacheRead¶

User can run the following operations:

$planCacheStats aggregation stage.

Apply this action to database or collection resources.

planCacheWrite¶: User can perform the planCacheClear command and the PlanCache.clear() and PlanCache.clearPlansByQuery() methods. Apply this action to database or collection resources.

storageDetails¶: User can perform the storageDetails command. Apply this action to database or collection resources.

Change Stream Actions¶

changeStream¶: User with changeStream and find on the specific collection, all non-system collections in a specifc database, or all non-system collections across all databases can open change stream cursor for that resource.

Replication Actions¶

appendOplogNote¶: User can append notes to the oplog. Apply this action to the cluster resource.

replSetConfigure¶: User can configure a replica set. Apply this action to the cluster resource.

replSetGetConfig¶

User can view a replica set’s configuration. Provides access to the replSetGetConfig command and rs.conf() helper method.

Apply this action to the cluster resource.

replSetGetStatus¶: User can perform the replSetGetStatus command. Apply this action to the cluster resource.

replSetHeartbeat¶: User can perform the replSetHeartbeat command. Apply this action to the cluster resource.

replSetStateChange¶: User can change the state of a replica set through the replSetFreeze, replSetMaintenance, replSetStepDown, and replSetSyncFrom commands. Apply this action to the cluster resource.

resync¶: User can perform the resync command. Apply this action to the cluster resource.

Sharding Actions¶

addShard¶: User can perform the addShard command. Apply this action to the cluster resource.

clearJumboFlag¶

Available starting in 4.2.3 and 4.0.15

Required to clear a chunk’s jumbo flag using the clearJumboFlag command. Apply this action to database or collection resources.

Included in the clusterManager built-in role.

enableSharding¶

Applicable Resources

The action can apply to either:

Database or collection resource to enable sharding for a database or shard a collection.
Cluster resource to perform various shard zone operations (Starting in version 4.2.2, 4.0.14, 3.6.16).

Resources Description

Database or

Collection

Grants users privileges to perform the following operations:

Enable sharding on a database using the enableSharding command, and
Shard a collection using the shardCollection command.

Cluster

Starting in version 4.2.2, 4.0.14, 3.6.16

Grants users privileges to perform the following shard zone operations:

You can also perform these shard zone operations if you have find/update actions on the appropriate collections in the config database. Refer to the specific operations for details.

refineCollectionShardKey¶

Provides privileges to refine the shard key for a sharded collection; i.e. run the refineCollectionShardKey command. Apply this action to database or collection resource.

Included in the clusterManager built-in role.

New in version 4.4.

flushRouterConfig¶: User can perform the flushRouterConfig command. Apply this action to the cluster resource.

getShardMap¶: User can perform the getShardMap command. Apply this action to the cluster resource.

getShardVersion¶: User can perform the getShardVersion command. Apply this action to database resources.

listShards¶: User can perform the listShards command. Apply this action to the cluster resource.

moveChunk¶: User can perform the moveChunk command. In addition, user can perform the movePrimary command provided that the privilege is applied to an appropriate database resource. Apply this action to database or collection resources.

removeShard¶: User can perform the removeShard command. Apply this action to the cluster resource.

shardingState¶: User can perform the shardingState command. Apply this action to the cluster resource.

splitChunk¶: User can perform the splitChunk command and the mergeChunks command. Apply this action to database or collection resources.

splitVector¶: User can perform the splitVector command. Apply this action to database or collection resources.

Server Administration Actions¶

applicationMessage¶: User can perform the logApplicationMessage command. Apply this action to the cluster resource.

closeAllDatabases¶: User can perform the closeAllDatabases command. Apply this action to the cluster resource.

collMod¶: User can perform the collMod command. Apply this action to database or collection resources.

compact¶: User can perform the compact command. Apply this action to database or collection resources.

connPoolSync¶: User can perform the connPoolSync command. Apply this action to the cluster resource.

convertToCapped¶: User can perform the convertToCapped command. Apply this action to database or collection resources.

dropConnections¶: User can perform the dropConnections command. Apply this action to the cluster resource.

dropDatabase¶: User can perform the dropDatabase command. Apply this action to database resources.

dropIndex¶: User can perform the dropIndexes command. Apply this action to database or collection resources.

forceUUID¶

New in version 3.6.

User can create a collection with a user-defined collection UUID using the applyOps command.

Apply this action to the cluster resource.

fsync¶: User can perform the fsync command. Apply this action to the cluster resource.

getDefaultRWConcern¶: User can issue the administrative getDefaultRWConcern command. Apply this action to the cluster resource.

getParameter¶: User can perform the getParameter command. Apply this action to the cluster resource.

hostInfo¶: Provides information about the server the MongoDB instance runs on. Apply this action to the cluster resource.

logRotate¶: User can perform the logRotate command. Apply this action to the cluster resource.

reIndex¶: User can perform the reIndex command. Apply this action to database or collection resources.

renameCollectionSameDB¶

Allows the user to rename collections on the current database using the renameCollection command. Apply this action to database resources.

Additionally, the user must either have find on the source collection or not have find on the destination collection.

If a collection with the new name already exists, the user must also have the dropCollection action on the destination collection.

setDefaultRWConcern¶: User can issue the administrative setDefaultRWConcern command. Apply this action to the cluster resource.

setParameter¶: User can perform the setParameter command. Apply this action to the cluster resource.

shutdown¶: User can perform the shutdown command. Apply this action to the cluster resource.

touch¶: User can perform the touch command. Apply this action to the cluster resource.

Session Actions¶

impersonate¶

New in version 3.6.

User can perform the killAllSessionsByPattern command with users and roles pattern. Apply this action to the cluster resource.

To run killAllSessionsByPattern command, users must also have killAnySession privileges on the cluster resource.

listSessions¶: New in version 3.6.

User can perform the $listSessions operation or $listLocalSessions operation for all users or specified user(s). Apply this action to the cluster resource.

killAnySession¶: New in version 3.6.

User can perform the killAllSessions and the killAllSessionsByPattern command. Apply this action to the cluster resource.

See also

impersonate

Free Monitoring Actions¶

checkFreeMonitoringStatus¶: User with this action on the cluster resource can check the status of Free Monitoring.

New in version 4.0.

setFreeMonitoring¶: User with this action on the cluster resource can enable or disable Free Monitoring.

New in version 4.0.

Diagnostic Actions¶

collStats¶: User can perform the collStats command. Apply this action to database or collection resources.

connPoolStats¶: User can perform the connPoolStats and the deprecated shardConnPoolStats commands. Apply this action to the cluster resource.

cursorInfo¶: User can perform the cursorInfo command. Apply this action to the cluster resource.

dbHash¶: User can perform the dbHash command. Apply this action to database or collection resources.

dbStats¶: User can perform the dbStats command. Apply this action to database resources.

getCmdLineOpts¶: User can perform the getCmdLineOpts command. Apply this action to the cluster resource.

getLog¶: User can perform the getLog command. Apply this action to the cluster resource.

indexStats¶: User can perform the indexStats command. Apply this action to database or collection resources.

Changed in version 3.0: MongoDB 3.0 removes the indexStats command.

listDatabases¶

User can perform the listDatabases command. Apply this action to the cluster resource.

For MongoDB 4.0.6+:: If the user does not have the listDatabases privilege action, users can run the listDatabases command to return a list of databases for which the user has privileges (including databases for which the user has privileges on specific collections) if the command is run with authorizedDatabases option unspecified or set to true.

For MongoDB 4.0.5:: If the user does not have the listDatabases privilege action, users can run the listDatabases command to return a list of databases for which the user has the find action privilege if the command is run with authorizedDatabases option unspecified or set to true.

For MongoDB 4.0.0-4.0.4:: If the user does not have the listDatabases privilege action, users can run the listDatabases command to return a list of databases for which the user has the find action privilege.

listCollections¶: User can perform the listCollections command. Apply this action to database resources.

Note

Starting in version 4.0, user without the required privilege can run the listCollections command with both authorizedCollections and nameOnly options set to true. In this case, the command returns just the name and type of the collection(s) to which the user has privileges.

listIndexes¶: User can perform the listIndexes command. Apply this action to database or collection resources.

netstat¶: User can perform the netstat command. Apply this action to the cluster resource.

serverStatus¶: User can perform the serverStatus command. Apply this action to the cluster resource.

validate¶: User can perform the validate command. Apply this action to database or collection resources.

top¶: User can perform the top command. Apply this action to the cluster resource.

Internal Actions¶

anyAction¶: Allows any action on a resource. Do not assign this action unless it is absolutely necessary.

internal¶: Allows internal actions. Do not assign this action unless it is absolutely necessary.

← Resource Document Create a Vulnerability Report →